Notes on GSS-API Negotiation Mechanism

Client sends an initial negotiation message to the server which specifies the list of mechanisms the client can support in order of decreasing preference. This message is generated with the NewNegTokenInitKrb5 method. The message generated by this function specifies only a kerberos v5 mechanism is supported.

The RFC states that this message can optionally contain the initial mechanism token for the preferred mechanism (KRB5 in this case) of the client. The NewNegTokenInitKrb5 includes this in the message.

The server side responds to this message with a one of four messages:

Message Type/StateDescription
accept-completedindicates that the initiator-selected mechanism was acceptable to the target, and that the security mechanism token embedded in the first negotiation message was sufficient to complete the authentication
accept-incompleteAt least one more message is needed from the client to establish security context.
rejectNegotiation is being terminated.
request-mic(this state can only be present in the first reply message from the target) indicates that the MIC token exchange is REQUIRED if per-message integrity services are available